Description

Jenkins Gitea Plugin 1.1.1 and earlier did not implement trusted revisions, allowing attackers without commit access to the Git repo to change Jenkinsfiles even if Jenkins is configured to consider them to be untrusted.

Remediation

References

http://www.openwall.com/lists/oss-security/2019/05/31/2

http://www.securityfocus.com/bid/108540

https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1046

Related Vulnerabilities

CVE-2022-38900 Vulnerability in maven package org.webjars.bowergithub.samverschueren:decode-uri-component

CVE-2020-7784 Vulnerability in npm package ts-process-promises

CVE-2020-28282 Vulnerability in maven package org.webjars.npm:getobject

CVE-2023-28326 Vulnerability in maven package org.apache.openmeetings:openmeetings-parent

CVE-2020-9548 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

Severity

High

Classification

CWE-862 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Mailing List Third Party Advisory VDB Entry Vendor Advisory